NSA Looking to Exploit Internet of Things, Including Biomedical Devices, Official Says

THE NATIONAL SECURITY AGENCY is researching opportunities to collect foreign intelligence — including the possibility of exploiting internet-connected biomedical devices like pacemakers, according to a senior official.

“We’re looking at it sort of theoretically from a research point of view right now,” Richard Ledgett, the NSA’s deputy director, said at a conference on military technology at Washington’s Newseum on Friday.

Biomedical devices could be a new source of information for the NSA’s data hoards — “maybe a niche kind of thing … a tool in the toolbox,” he said, though he added that there are easier ways to keep track of overseas terrorists and foreign intelligence agents.

When asked if the entire scope of the Internet of Things — billions of interconnected devices — would be “a security nightmare or a signals intelligence bonanza,” he replied, “Both.”

“As my job is to penetrate other people’s networks, complexity is my friend,” he said. “The first time you update the software, you introduce vulnerabilities, or variables rather. It’s a good place to be in a penetration point of view.”

When the agency is looking to exploit different new devices, the NSA has to prioritize its resources, which are usually focused on the “bad guys’” tech of choice rather than popular gadgets in the U.S., Ledgett explained.

That’s why the NSA wasn’t able to help the FBI crack the iPhone of the San Bernardino shooter, he said, because the agency hadn’t invested in exploiting that particular model of phone. “We don’t do every phone, every variation of phone,” he said. “If we don’t have a bad guy who’s using it, we don’t do that.”

Ledgett isn’t the only intelligence official to identify the growing Internet of Things as a possibility for global spying. The Director of National Intelligence himself said during a Senate hearing on worldwide threats in February that interconnected devices could be useful “for identification, surveillance, monitoring, location tracking, and targeting for recruitment, or to gain access to networks or user credentials.”

Clapper’s office has since cautioned in a letter to Sen. Ron Wyden, D-Ore., that “information obtained from a refrigerator, a washing machine, or a child’s toy” can’t replace other types of signals intelligence, like the content of terrorists’ communications.

Ledgett also said it wasn’t the agency’s place to mandate security standards for companies when it comes to new devices.

But NSA can’t ignore the potential that biomedical devices might be hacked by outsiders, too. Ledgett said no NSA employee has needed an internet-connected biomedical device yet — but that when it does happen, it will be a concern for an agency that doesn’t allow for cellphones.